RFI Hawk
Trust Center
Operated by Salian Defense Inc.
Last Updated: March 2026
This page documents RFI Hawk's security controls, data handling practices, and compliance roadmap. We believe transparency builds trust. Items marked In Development are actively being built. Items in the Roadmap section are planned but not yet started.
Data Protection
- TLS encryption on all connections between your browser and our servers.
- CSRF protection on all forms and AJAX requests via a global fetch wrapper with X-CSRFToken headers.
- Content Security Policy headers enforced via Talisman, restricting which external resources can load on the page.
- Rate limiting on authentication endpoints and API routes to prevent brute-force and abuse.
- Session management with configurable tier-based limits on concurrent sessions.
- No storage of payment card data. All payment processing is handled directly by Stripe, a PCI DSS Level 1 certified processor. Card numbers never touch our servers.
- Environment-based secrets management. API keys, database credentials, and signing secrets are stored in environment variables, never in source code.
- Sensitive data fields are encrypted at rest using AES-256-GCM. Two-factor authentication secrets and other sensitive credentials are encrypted before storage.
- Encryption key management can be backed by AWS KMS or Azure Key Vault, intended for the FedRAMP-authorized deployments planned in the Compliance Roadmap below. Key rotation is supported via a dedicated CLI tool.
Authentication and Access Control
- Email/password authentication with salted, adaptive password hashing (bcrypt or PBKDF2-SHA256); plaintext passwords are never stored.
- Social login via Supabase Auth supporting Google, Microsoft, GitHub, and Apple sign-in.
- Two-factor authentication (2FA) via TOTP-based authenticator apps (Google Authenticator, Authy, etc.).
- Role-based access control with feature tier gating. Each subscription tier unlocks specific platform capabilities.
- login_required enforcement on all authenticated routes. No user data is accessible without a valid session.
- Automated scanner and bot detection with request blocking for known malicious user agents and patterns.
Application Security
- Security headers enforced on every response:
  - HTTP Strict Transport Security (HSTS)
  - X-Frame-Options (clickjacking prevention)
  - X-Content-Type-Options (MIME sniffing prevention)
  - X-XSS-Protection (legacy header; current browsers ignore it, so cross-site scripting defence rests on the Content Security Policy above)
  - Referrer-Policy
- Custom error pages for 403, 404, 429, and 500 responses. Error pages do not disclose server software, stack traces, or internal paths.
- Input validation and parameterized database queries across all routes. User input is never interpolated directly into SQL.
- Structured security event logging with an administrative audit trail. Authentication events, authorization failures, and administrative actions are recorded with timestamps, user IDs, IP addresses, and event context.
Audit and Transparency
- Security event logging for authentication, authorization, and administrative actions. Events are stored in a dedicated security events table with severity levels and category filtering.
- HawkChain immutable audit trail with SHA-256 hash chaining. Every auditable action (proposals, bid decisions, compliance matrices, profile changes) is recorded in a tamper-evident sequence where modifying any record breaks the cryptographic chain.
- Merkle tree batching. A Merkle root hash is computed daily over each batch of ledger entries, so a day's entries are summarized by a single hash and any one entry can be checked against it. Because anyone with write access to the database could rewrite the tail of the chain and recompute its hashes, the roots must be anchored outside the database to be fully tamper-evident; OpenTimestamps blockchain anchoring is planned for a future release.
- Verification portal at /verify allows external auditors and evaluators to independently verify that a specific record has not been altered since creation using a 12-character verification code.
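As an added illustration of the HawkChain design described above (example code, not RFI Hawk's own), the following Python sketch builds a SHA-256 hash-chained ledger, detects a tampered record, computes a Merkle root over the batch, and verifies one entry against that root with a Merkle proof, which is the operation a /verify-style portal performs. The record layout, the canonical JSON encoding, the duplicate-last-node rule for odd tree levels, and the use of the first 12 hex digits of an entry hash as the verification code are assumptions made for this example; the sample records are constructed.

```python
"""Tamper-evident audit ledger: SHA-256 hash chain plus per-batch Merkle root.
Added example, not RFI Hawk's own code. Record layout, canonical encoding,
odd-level padding rule and the 12-hex-digit verification code are assumptions."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    # Deterministic serialization: the same record always yields the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def entry_digest(seq: int, prev_hash: str, record: dict) -> str:
    # Each entry commits to its position, its predecessor's hash and its content.
    return sha256_hex(canonical({"seq": seq, "prev_hash": prev_hash, "record": record}))

class HashChainLedger:
    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry_hash = entry_digest(seq, prev_hash, record)
        self.entries.append({"seq": seq, "prev_hash": prev_hash,
                             "record": record, "entry_hash": entry_hash})
        return entry_hash[:12]  # short verification code handed to the user

    def verify_chain(self):
        """Recompute every hash; return (ok, seq of the first bad entry or None)."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or e["entry_hash"] != entry_digest(e["seq"], prev, e["record"]):
                return False, e["seq"]
            prev = e["entry_hash"]
        return True, None

    def lookup(self, code: str):
        return next((e for e in self.entries if e["entry_hash"].startswith(code)), None)

def _pad(level):
    # Duplicate the last node so every level pairs up (one common convention).
    return level + [level[-1]] if len(level) % 2 else level

def _parent(left: str, right: str) -> str:
    return sha256_hex(bytes.fromhex(left + right))

def merkle_root(leaves) -> str:
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [_parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def merkle_proof(leaves, index):
    """Sibling hashes, with their side, needed to rebuild the root from leaves[index]."""
    proof, level, idx = [], list(leaves), index
    while len(level) > 1:
        level = _pad(level)
        sib = idx ^ 1
        proof.append((level[sib], "right" if sib > idx else "left"))
        level = [_parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return proof

def verify_proof(leaf: str, proof, root: str) -> bool:
    h = leaf
    for sibling, side in proof:
        h = _parent(h, sibling) if side == "right" else _parent(sibling, h)
    return h == root

# Constructed sample records (not real RFI Hawk data).
SAMPLE_RECORDS = [
    {"type": "proposal", "id": "P-1", "action": "created", "by": 7},
    {"type": "bid_decision", "id": "OPP-42", "decision": "bid", "by": 7},
    {"type": "profile", "id": "U-7", "field": "cage_code", "by": 7},
]

def demo() -> dict:
    ledger = HashChainLedger()
    codes = [ledger.append(dict(r)) for r in SAMPLE_RECORDS]
    ok_before, _ = ledger.verify_chain()
    leaves = [e["entry_hash"] for e in ledger.entries]
    root = merkle_root(leaves)  # the "daily root" that would be published/anchored
    proof_ok = verify_proof(leaves[1], merkle_proof(leaves, 1), root)
    # Tamper 1: edit a middle record without touching hashes -> chain breaks at seq 1.
    ledger.entries[1]["record"]["decision"] = "no-bid"
    ok_after, bad_seq = ledger.verify_chain()
    ledger.entries[1]["record"]["decision"] = "bid"  # undo tamper 1
    # Tamper 2: rewrite the LAST record and recompute its hash. Nothing points at the
    # tail, so the chain alone is fooled; the previously published Merkle root is not.
    last = ledger.entries[-1]
    last["record"]["field"] = "duns"
    last["entry_hash"] = entry_digest(last["seq"], last["prev_hash"], last["record"])
    tail_ok, _ = ledger.verify_chain()
    root_matches = merkle_root([e["entry_hash"] for e in ledger.entries]) == root
    return {"codes": codes, "ok_before": ok_before, "proof_ok": proof_ok,
            "ok_after": ok_after, "bad_seq": bad_seq,
            "tail_rewrite_passes_chain": tail_ok, "root_still_matches": root_matches}

if __name__ == "__main__":
    print(demo())
```

The second tamper case is the reason the daily root has to live somewhere the database writer cannot reach: a hash chain proves that history was not altered *before* the point you trust, and only an externally anchored root gives you a point to trust.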
Infrastructure
- Application hosting on Railway, backed by AWS cloud infrastructure with managed TLS certificates.
- GitHub-based deployment pipeline with automated builds triggered on push to the main branch.
- Environment-based configuration management. No configuration values are hardcoded. All deployments read from environment variables.
- Automated health monitoring with a /health endpoint reporting database connectivity, API availability, and service status.
Compliance Roadmap
The following items are planned investments. They are not current capabilities. This section will be updated as milestones are completed.
- Migration to FedRAMP-authorized infrastructure (AWS GovCloud or Azure Government) to host the application on infrastructure that holds a FedRAMP High Authorization to Operate.
- NIST 800-53 Moderate control mapping and gap analysis to document compliance status against all 300+ controls in the Moderate baseline.
- Encryption at rest performed by FIPS 140-2 or FIPS 140-3 validated cryptographic modules (AES-256-GCM), with key management via AWS KMS or Azure Key Vault. FIPS validation applies to the cryptographic module, not to the algorithm on its own.
- Third-party security assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO) to independently validate the platform's security controls.
- Formal incident response procedures and a continuous monitoring program with monthly vulnerability scans and quarterly security reviews.
Third-Party Services
RFI Hawk integrates with the following external services. We minimize the data shared with each service to what is required for functionality.
| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude) | AI-powered analysis, proposal drafting, compliance checking | Opportunity text, user prompts, proposal section content. No PII sent. |
| Stripe | Payment processing, subscription management | Stripe handles all card data directly. We store only Stripe customer IDs. |
| Supabase | Social login authentication (Google, Microsoft, GitHub, Apple) | OAuth tokens for authentication. No user content is stored in Supabase. |
| SAM.gov | Federal contracting opportunity data and entity verification | Read-only public procurement data. No user data is sent to SAM.gov. |
| Grants.gov | Federal grant opportunity data | Read-only public grant data. No user data is sent. |
Security Contact
To report a security vulnerability or ask questions about our security practices, contact security@saliandefense.com.